Summary

After a 4.3 upgrade, SAML authentication may fail for Controller UI users with an indication that CSRF verification failed.

In 4.3, SAML authentication now validates the request URL against the Controller URL. This issue results from request URLs that differ from the internal Controller URL, whether due to a proxy or to accounts in a multi-tenant Controller with different URLs per account.

Affected Software

This affects SAML-authenticated Controllers that are proxied or multi-tenant Controllers that have distinct URLs per account.

To confirm that you are affected by this issue, check the server log file (<controller_home>/logs/server.log) for a warning log entry containing "validateRequestedUrl failed", as in the following sample: